Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

BIOS information is often read in order to detect sandboxing environments.

Suspicious access to Credentials History.

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Clear Windows Event Logs to hide the activity of an intrusion.

Email clients store some user data on disk where infostealers will often target it.

Infostealers often target stored browser data, which can include saved credentials etc.

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Detects executables packed with VMProtect commercial packer.

Looks up Uninstall key entries in the registry to enumerate software on the system.

This may indicate a network scan to discover remotely running services.

Attempts to read the root path of hard drives other than the default C: drive.

Adversaries may delete files left behind by the actions of their intrusion activity.

Attempt to gather information on host's network.

Attempt to gather information on host network.

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

AutoIT scripts compiled to PE executables.

Detects executables packed with UPX/modified UPX open source packer.